0

EDIT: My question wasn't how to prevent XSS as I already know how to, but it was if a user can bypass the double-quotes removal. Thank you though :)

Is this vulnerable to XSS:

<img src="" alt="<?php echo str_replace('"', '', $_POST['imageDescription']);?>" title="Image">

e.g. if the user types "><script>alert('hacked');</script> that won't work since double quotes are stripped out, but can this still be XSSed? I always validate data but I was just wondering.

Jade Kallo
  • 110
  • 1
  • 10
  • Possible duplicate of [How to prevent XSS with HTML/PHP?](http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) – Martin Sep 22 '16 at 10:40
  • @Martin Please read my edit – Jade Kallo Sep 22 '16 at 10:45
  • Your question is asking how to prevent XSS, in a certain situation. If you already know how to prevent XSS then why do you not employ that method on this question? The double quote string replace could *maybe* be bypassed if the POSTED data is of a certain obscure character set and the POSTed data is formatted a certain way, but these attempts are nullified by following the advice given on the other, referenced, original question. – Martin Sep 22 '16 at 11:03
  • Improvements (these are a bit overkill): 1) use `mb_string` to set PHP and HTML character sets to UTF-8. 2) [force POSTed data to UTF-8 character set](http://stackoverflow.com/questions/7979567/php-convert-any-string-to-utf-8-without-knowing-the-original-character-set-or) (ignore odd charsets that get mangled by this, they shouldn't be submitted anyway), 3) use a regex replacer for the quote marks, rather than a string replacement. – Martin Sep 22 '16 at 11:07
  • @Martin No: _I always validate data but I was just wondering._ I already use the UTF-8 char sets. However I was curious to know if the double-quotes removal can be bypassed since characters like > and < aren't encoded inside the alt attribute (not on my website but for educational purposes) – Jade Kallo Sep 22 '16 at 11:17
  • The `str_replace` functionality can be subverted as per the examples on [the `str_replace` manual page](http://php.net/manual/en/function.str-replace.php). *Because str_replace() replaces left to right, it might replace a previously inserted value when doing multiple replacements.* – Martin Sep 22 '16 at 11:32

2 Answers

0

Yes, it's still vulnerable to XSS. There exist many techniques that can foil this, and granted a whole lot I don't know about. One thing I'm fairly certain can be abused to circumvent this is sending invalid UTF-8, which, when run through your code (or by other means), is then transformed into a valid " character, thereby not only circumventing your efforts but relying upon them to accomplish the XSS attack.
Granted, it takes a bit more work, but those who do these kinds of things don't mind the extra work.

What you've done here is called "blacklisting", meaning that you've removed/disallowed what you think is harmful. The problem with this approach is that you have to know everything that's harmful, both now and in the future, for this to be effective. Naturally, no-one can do that.
The sibling method of this is called white-listing, in which you allow only input which you know you want. This ensures that the room for shenanigans is as narrow as possible, and in some cases completely gone (if the list is sufficiently small).

However, none of these are 100% sure to avoid XSS attacks. The only thing that can do this is output escaping. In the case of HTML, the function to do this is htmlspecialchars(). I recommend reading the manual for it, and paying particular attention to the notes for it.

ChristianF
  • 2,068
  • 9
  • 14
-1

A post in security.stackexchange explains this. Apparently, it is not possible to XSS in an alt image if you replace the double quotes.

However, it is best not to reinvent the wheel when you're dealing with potential security issues. Use proven methods.

Use htmlspecialchars() when you're echoing PHP data into HTML so that any HTML symbols are converted into non-dangerous characters.

For more information on how to avoid XSS attacks, look here.

GiamPy
  • 3,543
  • 3
  • 30
  • 51
  • 1
    How could using a single quote inject an XSS attack **in the middle of an alt attribute delimited with double quotes**? (Using `htmlspecialchars` is still best practice though). – Quentin Sep 22 '16 at 10:38
  • 1
    I was wrong. I tested it myself and it can't work. I mean, you can't inject like that because of the `str_replace`. – GiamPy Sep 22 '16 at 10:46
  • "Maybe not by using the method you've used in the example, but in some other way." — What other way? If you can't name one, then you're just guessing. – Quentin Sep 22 '16 at 10:49
  • It seems like there's no way to do it if you escape the double quotes. I am sorry. Take a look at the edited answer. – GiamPy Sep 22 '16 at 10:52
  • If the POST string is of a certain character set you can generate certain characters by removing what appears to be a `"`, and the remains could be "half characters" which can be valid ASCII characters in their own right. This is how `mysqli_escape_string` can be sidestepped. Also note that `str_replace` doesn't work over any part of the text twice: if removing one `"` leaves another `"` in place, that will not be removed by default. – Martin Sep 22 '16 at 10:55
  • Recommended to ensure the POSTed values are not spurious character sets and force these values to be UTF-8 using `mb_string`. Also possibly get the str_replace to run twice, to be totally sure that as bad characters are removed, others are not "revealed". – Martin Sep 22 '16 at 10:56
  • [reference](http://stackoverflow.com/a/12118602/3536236) -- which is specifically for SQL; this reference is for dealing with character sets in general. I don't think default POST character sets allow for the above described bridging to make special characters "appear". – Martin Sep 22 '16 at 10:58
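Both answers end up recommending htmlspecialchars(). As an added example (not code from the question or from either answer), here is the question's str_replace() blacklist next to an attribute-encoding helper, run over constructed inputs including the invalid-UTF-8 case the comments discuss; the function names, the samples and the "attribute safe" check are my own.

```php
<?php
declare(strict_types=1);
// The question's blacklist: strip the attribute delimiter, leave everything else.
function altBlacklist(string $input): string
{
    return str_replace('"', '', $input);
}

// Output encoding for an attribute value. ENT_QUOTES also encodes single
// quotes (the pre-8.1 default flags did not); ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string; the charset must
// match the page's declared charset.
function altEncode(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderImg(string $description, callable $sanitizer): string
{
    return '<img src="" alt="' . $sanitizer($description) . '" title="Image">';
}

// A value can only end a double-quoted attribute, or open a tag, through one
// of these characters; after encoding none of them remain in the output.
function attributeSafe(string $value): bool
{
    return strpbrk($value, "\"'<>") === false;
}

// Constructed samples: a benign caption, the probe from the question, and a
// caption containing bytes that are not valid UTF-8 (0xC3 needs a continuation byte).
$samples = [
    'benign'       => 'A "quoted" caption & more',
    'probe'        => '"><script>alert(\'hacked\');</script>',
    'invalid-utf8' => "caption \xC3\x28 tail",
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo 'blacklist: ', renderImg($input, 'altBlacklist'), "\n";
    echo 'encoded:   ', renderImg($input, 'altEncode'), "\n";
    if (!attributeSafe(altEncode($input))) {
        throw new RuntimeException("encoded value still contains a delimiter: $label");
    }
}

// Caveat from the htmlspecialchars() manual: without ENT_SUBSTITUTE (or ENT_IGNORE),
// PHP 5.4+ returns '' for invalid UTF-8, so the caption is silently lost, not rejected.
$naive = htmlspecialchars($samples['invalid-utf8'], ENT_QUOTES, 'UTF-8');
echo 'naive encode of invalid UTF-8 is empty: ', var_export($naive === '', true), "\n";
```

Note that the blacklisted probe stays inside the attribute only because the browser treats `<` and `>` as text within a quoted value; the encoded version makes no such assumption.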